Connected CloudPets Toys Expose Two Million Children Voice Recordings

How about that? 2 million voice recordings of children and parents, together with e-mail addresses and passwords belonging to 800,000 accounts have been exposed. The reason? Insecure Internet-connected stuffed animal toys!

The story doesn’t end here. All this extremely sensitive data was publicly accessible via an open database which was left unprotected. The database didn’t have either a password or a firewall, making it dangerously easy for anyone to access it.

This dreadful discovery was made by Troy Hunt, the owner of the Have I Been Pwned? project, who wrote:

Now firstly, put yourself in the shoes of the average parent, that is one who’s technically literate enough to know the wifi password but not savvy enough to understand how the “magic” of daddy talking to the kids through the bear (and vice versa) actually works. They don’t necessarily realise that every one of those recordings – those intimate, heartfelt, extremely personal recordings – between a parent and their child is stored as an audio file on the web. They certainly wouldn’t realise that in CloudPets’ case, that data was stored in a MongoDB that was in a publicly facing network segment without any authentication required and had been indexed by Shodan (a popular search engine for finding connected things).

In technical details, the sensitive data was exposed by CloudPets – the stuffed animal tors produced by Spiral Toys. What are the toys for, you are perhaps wondering. They record and play voice messages which parents and children can send over the Internet. The database at fault, to no one’s surprise, is a MongoDB one having 821,296 account records and stored by a Romanian company. Spiral Toys had a contract with that company, and according to Hunt, people tried to notify the toy manufacturer about the serious breach.

But that’s not all of it! The data which was indexed by the Shodan search engine was accessed many times by different parties, cybercriminals included. The data was also exposed to ransom demands, as it was held by crooks.

What Did California-Based Spiral Toys Respond?

As reported by Network World, on Monday, the California-based company claimed it never received any warnings of a privacy-related incident.

“The headlines that say 2 million messages were leaked on the internet are completely false,” the company claimed. It became aware of the incident after a reporter from Vice Media contacted them last week. “We looked at it and thought it was a very minimal issue”.

That’s just another example of how bad Internet-connected things can turn. Have a look at Troy Hunt’s full investigation.